L
Lee Cooper
Hi
I wonder if any of you guys/girls can help.
We are running a Novell Netware 6 network with Windows
2000 client machines using Volitile Dynamic Local Users.
Our problem is that on our machines when the users login,
the users hive security is being changed.
Example Bad Machine:
If you check the ACL in ntuser.dat using regedt32 it shows
the security settings are (Administrators: Full Control,
System:
Full Control, Everyone: Full Control).
When you login to a faulty machine you wouldn't
immediately notice any problems with your profile. This is
because the DACL
on the registry key (HKEY_CURRENT_USER) has been changed
to contain the access control entry for your username. The
machine
also removes the access control entry for the Everyone
Group. This leaves the permissions on the registry key set
as follows.
Administrators: Full Control
System: Full Control
UserName: Full Control
When the user logs out of the machine the local user
account is removed from the machine and the profile
written back to the
server with the new settings.
Say a user has used their machine the previous day and the
profile has been corrupted (see above). The user has got
back to
work the next day and tried to login. The user would then
be faced with all of the symptoms regarding a corrupted
profile.
What in fact has happened is. The user now no longer has
the rights to see the registry key which is stored in the
file
NTUSER.DAT. This is because the machine has removed the
user account when the user logged out previously and now
doesn't know
who the user is referenced in the Security Descriptor of
the registry key in the NTUSER.DAT file. The permissions
now look
like this.
Administrators: Full Control
System: Full Control
S-1-5-21-704....: Full Control
When the user has logged back in to the machine the user
account has been created again, which means it will have a
different
SID associated with it. By looking at the DACL on the
registry key we can see that the only people who can see
this key once
loaded are Administrators and the SID which cannot be
resolved. This shows that the user cannot see any of their
roaming
profile which is where the user's personal settings are
stored.
This doesn't happen everytime you use a machine but as we
have upwards of 10,000 users you can imagine it is a BIG
problem.
We are using all the latest updates to the machines (just
imaged them for start of term) up to Novell Client 4.83
SP2 E and
ZenWorks 3.2.
When the permissions are not changed on the Registry hive
the users are not having any other problems at all.
Any help would be appriciated as we feel we are banging
our heads against a brick wall.
Cheers
Lee Cooper
I wonder if any of you guys/girls can help.
We are running a Novell Netware 6 network with Windows
2000 client machines using Volitile Dynamic Local Users.
Our problem is that on our machines when the users login,
the users hive security is being changed.
Example Bad Machine:
If you check the ACL in ntuser.dat using regedt32 it shows
the security settings are (Administrators: Full Control,
System:
Full Control, Everyone: Full Control).
When you login to a faulty machine you wouldn't
immediately notice any problems with your profile. This is
because the DACL
on the registry key (HKEY_CURRENT_USER) has been changed
to contain the access control entry for your username. The
machine
also removes the access control entry for the Everyone
Group. This leaves the permissions on the registry key set
as follows.
Administrators: Full Control
System: Full Control
UserName: Full Control
When the user logs out of the machine the local user
account is removed from the machine and the profile
written back to the
server with the new settings.
Say a user has used their machine the previous day and the
profile has been corrupted (see above). The user has got
back to
work the next day and tried to login. The user would then
be faced with all of the symptoms regarding a corrupted
profile.
What in fact has happened is. The user now no longer has
the rights to see the registry key which is stored in the
file
NTUSER.DAT. This is because the machine has removed the
user account when the user logged out previously and now
doesn't know
who the user is referenced in the Security Descriptor of
the registry key in the NTUSER.DAT file. The permissions
now look
like this.
Administrators: Full Control
System: Full Control
S-1-5-21-704....: Full Control
When the user has logged back in to the machine the user
account has been created again, which means it will have a
different
SID associated with it. By looking at the DACL on the
registry key we can see that the only people who can see
this key once
loaded are Administrators and the SID which cannot be
resolved. This shows that the user cannot see any of their
roaming
profile which is where the user's personal settings are
stored.
This doesn't happen everytime you use a machine but as we
have upwards of 10,000 users you can imagine it is a BIG
problem.
We are using all the latest updates to the machines (just
imaged them for start of term) up to Novell Client 4.83
SP2 E and
ZenWorks 3.2.
When the permissions are not changed on the Registry hive
the users are not having any other problems at all.
Any help would be appriciated as we feel we are banging
our heads against a brick wall.
Cheers
Lee Cooper